Germany’s strict “consent for marketing” laws now fully in force

A three year transition period allowed marketers by the Federal Data Protection Act 2009 has expired. Now there is no hiding place for German marketers when it comes to consent rules as Dr Ulrich Baumgartner and Georg Meyer-Spasche of Osborne Clarke Germany report.

Topic: Direct Marketing

Who: Any company using personal data for direct marketing

Where: Germany

When: 1 September 2012

Law stated as at: 1 September 2009

What happened:

On 31 August 2012, the last transition period of the Second Amendment Act to the German Federal Data Protection Act (“Bundesdatenschutzgesetz” or “BDSG”) expired. The Second Amendment Act of 1 September 2009 (Amendment II BDSG) granted a three year transition period for data collected or saved prior to 1 September 2009. Since this transition period has expired, the amended law now applies to all stored data.

Companies must now not only ensure that the origin of each data set used for marketing purposes is documented, but also prove that there is a valid consent covering these marketing purposes. Even though Amendment II BDSG came into force already back in September 2009, many German companies might not have really started to clean up their databases. It is now high time to get started in order to meet the new requirements.

Why this matters:

Amendment II BDSG intended, inter alia, that fairly strict conditions must be met in order to compliantly use personal data for marketing purposes. The specific rules for direct marketing are:

as a matter of principle customers' consent is crucial: the usage of any data set requires explicit consent, with some narrowly defined exceptions;

each consent declaration of each individual must be recorded / documented;

if consent was given in electronic form, the provider must ensure that the individual can easily access and revoke the consent any time with future effect;

if consent was given in any form other than in written or electronic form, the controller must provide the individual with a written form of confirmation;

in terms of direct marketing (other than mass mailings through classic postal services), the controller must ensure that the consent explicitly includes the receipt of marketing communications; this has to be recorded / documented as well; and

the data controller must inform the individual about i) the legal basis for the data processing and ii) who actually processes the individual's data. Furthermore the individual has to be informed about the right to withdraw consent.

To fulfil the requirements, first and foremost all stored personal data needs to be audited with regard to whether or not the above consent requirements are met.

For all data sets that miss the requirement, e. g. because there is no such recorded consent, it should be checked whether holding and processing such data falls under one of the few and comparatively narrow exceptions granted in the BDSG so that no consent is required. If no such exception applies to the relevant data, the company should try and heal the data by obtaining the consent now. Obviously, such assessment and healing steps take time and it is hence advisable to get the audit started as soon as possible – to avoid the worst case scenario that could mean having to delete the affected data.

The above clearly means having to invest considerable effort. Ignoring these legal requirements does not really seem to be an appealing option either, because fines can reach up to EUR 300,000 per case. Authorities could be triggered into taking enforcement action by for example competitors. Consumer protection organisations could also get active and seek infringements from companies in breach of these data protection requirements.

Finally, the market value of a company may also be affected by the unlawful use of data.

The quality of a company´s customer database can be a material factor in assessing its market value. In all likelihood, the near future will show that compliance with the above, and in particular the ability to produce evidence of the required consents, will be an important factor when assessing the value of a customer database. This will have an obvious effect on company acquisitions and achievable share prices.

Compliant customer data is thus not just important to avoid liabilities and fines. It is an actual asset for a company and affects its market value. Companies should secure their assets.